Tag Archives: Mr Smith

ICO planning data loss penalties for multiple firms

The Information Commissioner’s Office (ICO) has said that it is preparing to impose its first fines on businesses and organisations which it has found to be in breach of the Data Protection Act after the loss or theft of private information.

The ICO’s David Smith said that by imposing these fines, it would send out a message to all firms, showing that the consequences of improper security and data handling policies would be severe.

Mr Smith told V3.co.uk that many observers had questioned whether the ICO would actually use its new powers and hand out significant fines to offending firms. He explained that the impending action would prove that it does not stand for businesses that fail to meet the data protection standards expected of them.

Mr Smith would not divulge any information relating to the businesses being targeted by the ICO, but promised that further details would be published online with relative speed.

The ICO’s critics have complained not only that it has rarely used its power to fine, but also that the £500,000 maximum penalty introduced earlier in the year is not a significant sum for the largest businesses, which are also the ones with the potential to suffer the biggest data loss incidents.

The ICO wants businesses and organisations to take responsibility for the data they are charged with protecting. Mr Smith said that firms would also need to adhere to data retention limits and erase personal details once the agreed term has expired, rather than clinging to old information for as long as possible.
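The retention point above is one of the few in this article that can be enforced mechanically rather than by policy alone. What follows is an added example, not code from the ICO or from this site: a small Python retention pass over a constructed set of records. The purposes, retention periods, record fields and sample dates are all assumptions made for the illustration; a real schedule comes from the organisation's own retention policy. It shows the two cases a purge job usually gets wrong: a record that is past its term but subject to a legal hold must be reported and kept, and a record with no known purpose must be surfaced rather than silently retained forever.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Retention period per processing purpose, in days. These values are
# assumptions made for this example; a real schedule comes from the
# organisation's own retention policy and its legal advice.
RETENTION_DAYS = {
    "marketing_consent": 365,
    "customer_account": 6 * 365,
    "support_ticket": 2 * 365,
}


@dataclass
class Record:
    record_id: str
    purpose: str              # why the personal data is held
    collected: date           # start of the agreed retention term
    legal_hold: bool = False  # true while a dispute or regulator request is open


def expiry_date(rec: Record) -> date:
    """First day on which the record may no longer be kept."""
    return rec.collected + timedelta(days=RETENTION_DAYS[rec.purpose])


def plan_erasure(records, today: date) -> dict:
    """Sort records into erase / hold / retain / unclassified buckets.

    A record whose purpose is not in the schedule is reported, not kept
    quietly: "we do not know why we hold it" is not a retention justification.
    """
    plan = {"erase": [], "hold": [], "retain": [], "unclassified": []}
    for rec in records:
        if rec.purpose not in RETENTION_DAYS:
            plan["unclassified"].append(rec.record_id)
        elif today < expiry_date(rec):
            plan["retain"].append(rec.record_id)
        elif rec.legal_hold:
            plan["hold"].append(rec.record_id)   # expired but cannot be erased yet
        else:
            plan["erase"].append(rec.record_id)
    return plan


def apply_plan(store: dict, plan: dict, today: date) -> list:
    """Erase the scheduled records and return audit entries for the run."""
    audit = []
    for rid in plan["erase"]:
        rec = store.pop(rid)  # removed from the live store
        audit.append((today.isoformat(), rid, rec.purpose,
                      expiry_date(rec).isoformat(), "erased"))
    for rid in plan["hold"]:
        rec = store[rid]      # stays, but the run records why
        audit.append((today.isoformat(), rid, rec.purpose,
                      expiry_date(rec).isoformat(), "held"))
    return audit


# Constructed sample data for the example; not taken from the article.
SAMPLE_RECORDS = [
    Record("r1", "marketing_consent", date(2009, 6, 1)),                 # expired
    Record("r2", "marketing_consent", date(2010, 3, 1)),                 # still in term
    Record("r3", "support_ticket", date(2008, 5, 20), legal_hold=True),  # expired, on hold
    Record("r4", "customer_account", date(2006, 1, 10)),                 # still in term
    Record("r5", "legacy_import", date(2005, 2, 2)),                     # purpose unknown
]


def run_example(today: date = date(2010, 11, 1)):
    """Run one retention pass; returns (plan, remaining ids, audit log)."""
    store = {r.record_id: r for r in SAMPLE_RECORDS}
    plan = plan_erasure(list(store.values()), today)
    audit = apply_plan(store, plan, today)
    return plan, sorted(store), audit


if __name__ == "__main__":
    plan, remaining, audit = run_example()
    print("plan:", plan)
    print("remaining:", remaining)
    for entry in audit:
        print("audit:", entry)
```

Two design choices are worth noting. The plan is computed in full before anything is deleted, so the run can be reviewed (or executed as a dry run) first, and every erasure and every hold produces an audit entry, which is what an organisation needs when asked to show that it honours its own retention limits. Removing a record from the live store is only part of the job: copies in backups, exports and logs have their own retention and are outside what this example covers.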

The most divisive aspect of Mr Smith’s statement was an allusion to home phone and broadband provider TalkTalk, which recently got into hot water because it was monitoring the web activity of its users in order to test a new anti-malware service. Mr Smith said that firms could not get away with acting in a clandestine manner just because they were conducting a trial.

The ICO aims to make data protection more transparent, so that ordinary people can be assured that their information will be kept safe, without having to scour the terms and conditions of a given service.

UK ranked fifth in cyber attack survey

For every 1000 computers in the UK, 107 cyber attacks were recorded, the fifth-highest rate in the global rankings compiled by security services firm SecureWorks.

At the other end of the table, India recorded the fewest attacks per head, with only 52 for every 1000 PCs. The comparison suggests that criminals are finding it easier to harness infected machines in the UK, both those within organisations and those owned by individuals, than in many of its peers.

SecureWorks’ Jon Ramsey said that criminals were controlling vast domestic botnets in most nations around the world and it was because of unchecked vulnerabilities that many businesses were leaving themselves open to exploitation.

Mr Ramsey also pointed out that by allowing computers to become and remain infected and malleable, malicious parties were being given opportunities to attack others.

A range of factors influence the number of cyber attacks and data thefts that occur within a country, including average connection speeds and the way in which internet service providers (ISPs) protect their users and detect threats. The distribution of operating systems also plays a part, as most malware targets Windows, the most widely installed desktop operating system, in order to reach the largest number of machines.

SecureWorks concluded that although the threats are significant, in many cases avoiding infection can be as simple as following the basic rules of computer security, whether at home or at work: keeping security software up to date to combat new threats, accepting downloads and attachments only from sources you trust, and ignoring unsolicited emails.

SecureWorks’ Don Smith said that cyber attacks can not only compromise precious data within an organisation, but also impact upon productivity and revenue as the ripples spread. Mr Smith believes that many businesses only act on security flaws once they have been exploited by a cyber attack and that this means that some incidents are entirely avoidable.

Mr Smith suggests that businesses need to take a multi-faceted approach to data security and data loss prevention, combining standard measures with modern analytical tools and encryption techniques to ensure that all systems are watertight and thus far more difficult for criminals to infect.

ICO data breach reports exceed 1000

Over 1000 data security breaches have now been reported to the Information Commissioner’s Office (ICO), prompting the organisation to call once more for improved protection measures within both the public and private sectors.

The ICO’s David Smith said that data could be lost or stolen as the result of a variety of events, but that the real threat still lies in the potential for human error in any security procedure.

Mr Smith said that organisations would need to treat data security with greater respect, and that only with vigilance could future incidents be averted.

The ICO is pushing for improved training programmes so that staff are able to handle data securely, and so that those whose roles involve frequent data handling understand the value that personal information holds, not just for the individual but for the business as a whole.

The ICO is keen for businesses to disclose any incident of data loss or theft to the proper authorities, with the objective of building widespread employee understanding of how these procedures work and, more importantly, why they are essential.

The 1000 cases reported to the ICO include over 300 originating from within various sections of the NHS, making this the largest single contributor to the ICO’s workload. 288 reports from the private sector were recorded, although there are some who believe the real figure may be far higher as many incidents are likely to be going unreported.

Data encryption expert Chris McIntosh said that the ICO was right to encourage awareness in this field, but he also believes that significantly more effort is required if businesses and organisations are to minimise the risks they face on a daily basis.

Mr McIntosh believes that a proactive approach to secure data storage, one that engages staff and addresses issues as they arise without blaming those in direct contact with the data, will result in a far tighter and more cohesive data protection environment.

EU rules to force reporting of data loss and breaches

Reports suggest that the EU could soon force businesses across the continent to publicly report when an incident involving data loss or a system security breach occurs.

The Information Commissioner’s Office (ICO) would have the power to demand information about serious compromises to data stored by businesses and organisations if a new EU directive governing data protection comes into force.

Telecommunications firms and broadband providers are already set to be subject to similar rules which ensure that data breaches are reported, and this may be rolled out across all businesses, according to the ICO’s David Smith.

Mr Smith was speaking to an audience at the Infosec 2010 event. He said that the EU’s Privacy and Electronic Communications directive is going to come into force before 2012, after which time all businesses could face the same level of scrutiny.

The rules would apply only in the event of ‘serious’ data breaches, and Mr Smith recognised that businesses would need clear guidance in order to identify precisely what is meant by this. He accepted that the ICO could otherwise receive thousands of minor breach reports, which would hamper its operation, and that proper training will need to be given.

The ICO said that in the three years leading up to 2010 there were a total of 962 serious data breaches reported. These figures cover both public and private organisations. The NHS was the most frequent entrant onto the list.

The combined total of the NHS incidents means that it accounts for 33 per cent of the total figure. This factors in 113 reports of data or hardware being stolen, and a further 224 reports of losses from within the organisation.

Mr Smith pointed out that these figures represent only the reports that businesses and organisations in the UK were willing to make voluntarily. This could mean that the actual numbers are considerably higher, particularly in the private sector where businesses are seen to be answerable only to their shareholders and not the public at large.

Cloud security improvements requested by Microsoft

In a bid to increase confidence in cloud computing, Microsoft is calling on vendors and the US government for action, including new legislation and regulation, aimed at improving the security of current cloud platforms.

Microsoft’s senior vice president and general counsel Brad Smith told an audience at the Brookings Institution, a Washington, D.C.-based think tank, last week that businesses were not being given enough motivation to switch from in-house data backup and storage systems to the cloud.

As a cloud provider itself, Microsoft is of course affected. Mr Smith’s call for transparency in cloud security measures and standards would also require the US government to create policies designed to police cloud computing, and he suggested that stronger powers should be available to punish criminals who seek to compromise the integrity of cloud systems.

Mr Smith said that cloud vendors could only win the trust of businesses if they were willing to openly explain how their data was stored and in what way it would be used by them. The involvement of a third party in any aspect of a business’ operation is always going to come under scrutiny and when valuable data is involved this is intensified.

The flow of data from individual PCs in a business network to the cloud would need to be governed by elected authorities, said Mr Smith. The privacy of the individual would also have to be protected from the state, and getting this balance between transparency and security right is clearly the biggest challenge facing businesses and cloud vendors.

Mr Smith pushed for wider debate on the international stage concerning the regulation and operation of the cloud, because it is clearly necessary to keep global as well as national legislation in step with the ever-progressing technology involved.

Microsoft has evidence to support its desire for a more thorough discussion of cloud security and data protection policy, as a recent survey it commissioned found that 90 per cent of business owners are questioning the security and privacy of data stored using cloud computing. The survey also found that there is much enthusiasm for cloud computing, with 86 per cent saying that they were interested in the opportunities it offers.
